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A  LOGIC  FOR  THE  ANALYSIS  OF  CRYPTOGRAPHIC  PROTOCOLS 


INTRODUCTION 

In  this  report,  we  present  a  free  epistemic  logic  with  separate  means  for  explicitly  repre¬ 
senting  both  propositional  knowledge  and  knowledge  of  individuals.  The  logic  has  been  designed 
primarily  for  the  analysis  of  cryptographic  protocols,  but  it  is  not  necessarily  limited  to  this  appli¬ 
cation.  Thus,  the  logic  has  distinct  mechanisms  for  representing — e.g.,  knowing  that  k  is  Saul’s 
crypto-key  vs  knowing  k  in  the  sense  of  being  able  to  recognize  or  produce  it.  These  representa¬ 
tions  are  accomplished  by  means  of  a  standard  knowledge  operator  and  a  knowledge  predicate  re¬ 
spectively.  The  logic  presented  here  is  the  result  of  a  significant  revision  of  the  logic  given  in 
(Syverson,  1990).  The  current  version  corrects  cenain  errors  and  omissions  in  the  original  ac¬ 
count.  We  also  argue  briefly  that  the  introduction  of  a  knowledge  predicate  is  more  than  mere 
novelty;  it  facilitates  a  genuine  and  valuable  expansion  of  expressive  power. 

In  “The  Use  of  Logic  in  the  Analysis  of  Cryptographic  Protocols”  (submitted  for  publica¬ 
tion),  we  argue  that  it  is  valuable  for  a  crypto-protocol  logic  to  have  an  independently  motivated 
semantics,  one  that  explicitly  incorporates  the  cryptographic  features  of  the  logic.  In  addition  to 
other  advantages,  if  the  logic  is  shown  to  be  sound  and  complete  with  respect  to  the  semantics, 
then  we  have  strong  assurance  that  the  logic  captures  all  and  only  the  valid  reasoning  expressible 
in  the  formal  language.  One  of  the  primary  goals  of  this  report  is  to  present  such  metalogical  re¬ 
sults.  Before  proving  these,  however,  we  set  out  the  language,  semantics,  and  logic. 


THE  LANGUAGE 

The  language  contains  a  denumerable  number  of  names  of  words:  S],  S2,  S3, ...  Each  word 
should  be  thought  of  as  a  string  of  symbols  from  some  finite  alphabet,  e.g.,  a  key.  However,  since 
we  need  not  depict  the  structure  of  words  in  our  language,  they  are  represented  atomically.  The 
language  also  contains  equality  and  two  functions  taking  pairs  of  words  to  words.'  e(x,  y)  =  z 
should  be  taken  to  mean  that  z  is  the  result  of  encrypting  y  with  key  x.  d(x,  y)  =  z  should  be  taken 
to  mean  that  z  is  the  result  of  decrypting  y  using  key  x.  (x,  y,  z, ...  are  variables  ranging  over  arbi¬ 
trary  words.)  Our  language  also  contains  denumerably  many  predicate  constants,  each  of  finite 
arity  and  taking  tuples  of  word  names  as  arguments:  P],  P2,  P3, ...  Of  these  we  call  particular  at¬ 
tention  to  a  set  of  unary  epistemic  predicate  constants:  Cj, ...,  Q,.  Intuitively  CjCx)  should  be  tak¬ 
en  to  mean  that  i  knows  x,  i.e.,  i  can  recognize  or  produce  the  character  string  named  by  x.  If  i  is 
able  to  decrypt  a  message  he  receives  that  has  been  encrypted  with  key  x,  this  serves  as  evidence 


Manuscnpt  approved  October  2,  1990. 

1 .  To  be  precise  we  should  say  that  the  language  contains  the  identity  symbol  and  two  function  symbols  that  represent  equality  and 
two  functions  respectively,  but  we  adopt  common  use-mention  confusions  where  it  is  harmless. 
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that  Cjx  is  true;  he  must  have  known  the  key  since  he  was  able  to  use  it.  (It  is  assumed  that  we 
are  talking  about  symmetric  encryption  here,  i.e.,  the  encryption  and  decryption  keys  are  the 
same.) 


The  language  is  first  order  with  quantification  being  over  words.  The  basic  (open)  sen¬ 
tences  of  the  language  are  expressions  of  the  form  Pk(xi,  ....  xj)  or  Pk(si,  ...,  sj)  and  equations. 
Closed  sentences  are  those  containing  no  free  variables.  Sentences  (open  or  closed)  may  be  as¬ 
sembled  into  (finite)  complex  sentences  according  to  ordinary  recursive  formation  rules  using  the 
usual  connectives:  — i,  a,  v,  and  — The  only  remaining  feature  of  the  language  is  a  finite  set  of 
propositional  knowledge  operators:  Si , ...,  Sn.  These  are  standard  epistemic  operators  in  the  style 
of  Hintikka  (1962).  Intuitively  Sjtp  should  be  taken  to  mean  that  i  knows  the  proposition  ex¬ 
pressed  by  (p.^  (tp  is  a  variable  ranging  over  arbitrary  sentences.)  Sjtp  is  a  sentence,  provided  that 
(p  is  a  sentence.  Thus  these  operators  may  be  iterated,  although  we  will  not  have  need  to  do  so  in 
this  report.  Note  the  difference  between  Cj  and  Sj.  Cj  is  a  predicate;  it  applies  to  words  (individ¬ 
uals).  Sj  is  an  operator;  it  applies  to  sentences. 


SEMANTICS 

The  semantics  we  adopt  is  a  slight  modification  of  the  standard  Hintikka  style  possible 
world  semantics  for  epistemic  logics.  Before  setting  things  out  formally  we  will  give  an  intuitive 
picture.  First  we  have  a  set  of  possible  worlds.  These  may  be  thought  of  as  all  the  different  ways 
the  world  may  be.  On  this  set  there  is  an  accessibility  relation  between  worlds  for  each  individual 
i.  If  world  w'  is  accessible  from  w  for  a  given  individual,  then  that  individual  in  w  cannot  distin¬ 
guish  the  two  worlds  given  his  current  state  of  knowledge.  Thus,  suppose  there  are  two  worlds 
that  are  accessible  to  each  other  for  i.  In  one  of  these  worlds  it  is  raining,  and  in  the  other  it  is  not. 
In  this  case,  i  does  not  know  whether  or  not  it  is  raining  (relative  to  either  world).  If  a  sentence  tp 
is  true  in  all  the  worlds  accessible  for  i  from  some  world  Wp,  then  we  can  say  that  i  knows  tp  in 
that  world.  N.B.  (p  may  actually  be  false!  This  is  because  we  have  said  nothing  about  how  Wp 
compares  to  the  actual  world.  While  (p  may  be  false  in  the  actual  world,  if  it  is  true  in  Wp  and  in 
all  worlds  accessible  from  Wp  for  i,  then  i  knows  (p  in  Wp.  Now,  we  are  usually  worried  about 
what  someone  knows  in  the  actual  world.  So,  “i  knows  tp.”  (simpUciter)  should  be  taken  to  mean 
that  i  knows  (p  in  the  actual  world. 

The  above  corresponds  to  our  characterization  of  propositional  knowledge  by  means  of 
the  Sj  operators.  For  the  knowledge  characterized  by  the  Cj  predicates,  we  maintain  the  same  se¬ 
mantic  structure  of  worlds  and  accessibility  relations;  we  simply  add  to  it.  In  quantified  modal 
logic  one  decides  w  hether,  for  example,  P(xj, ...,  Xj^)  is  true  at  a  world  by  seeing  if  the  k-tuple  of 
values  assigned  to  xj  through  xjj  respectively  at  that  world  is  in  the  set  assigned  to  P  at  that  world. 
The  same  criterion  applies  to  sentences  formed  with  the  Cj  predicates.  This  is  sovicwhat  unusual; 
except  for  identity,  predicates  usually  receive  their  interpretation  extralogicaPy.  The  interpreta¬ 
tion  of  Cj  is  intimately  tied  to  the  semantic  structure  itself.  Qx  is  true  at  a  world  Wp  whenever  x  is 
assigned  a  value  at  Wp  and  it  is  assigned  the  same  value  at  all  worlds  accessible  from  Wp  for  i. 


2.  The  choice  of  symbols  for  knowledge  derives  from  ihe  French  w>ords  'connaitre'  and  'savoir' .  For  example,  in  French,  you 
connais  a  person  and  you  sais  that  it's  raming.  In  English,  w'hich  does  not  make  ih .  distinction,  both  of  these  mean  to  know. 
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Since  these  predicates  are  unusual,  we  shall  give  a  little  explanation  of  their  semantic  interpreta¬ 
tion. 


The  possible  worlds  represent  the  different  ways  someone  thinks  reality  might  be.  If 
world  w^  is  accessible  from  world  w  for  some  subject,  e.g.  Scott,  then  at  world  w,  he  cannot  tell 
them  apart.  From  the  perspective  of  world  w,  Scott  finds  both  w  and  w'  equally  possible  ways 
things  might  be.  Now,  suppose  some  word  s  is  present  at  one  of  these  worlds  but  not  the  other. 
(What  ‘present’  means  will  be  clearer  once  the  model  theory  is  spelled  out  below.)  Then  Scott 
cannot  tell  the  difference  between  a  world  where  s  is  present  and  one  where  it  is  not.  So,  he  must 
not  really  be  aware  of  the  word,  know  the  word,  if  he  can’t  tell  whether  it’s  there  or  not.  Under 
these  circumstances  we  would  not  v.'ani  to  say  that  he  can  recognize  or  reproduce  the  word.  Thus 
it  should  indeed  turn  out  that  Cscott(s)  is  not  true  at  w. 

Domains,  Terms,  and  Denotations 

There  is  a  potential  problem  with  our  semantics.  If  every  term  of  the  language  were  to  de¬ 
note  in  every  world,  and  if  terms  always  denoted  the  same  word  regardless  of  the  world,  then  ev¬ 
eryone  would  know  all  the  words  in  all  circumstances — assuming  all  the  words  were  named  in  the 
language.  This  is  so  because  all  the  worlds  would  have  the  same  words  in  them,  and  those  words 
would  be  named  the  same  way  at  each  of  them.  This  would  render  the  C  predicates  trivial  and 
thus  useless.  The  answer  of  course  is  to  vary  the  domain  of  quantification  from  world  to  world. 
This  will  block  the  validity  of  Vx  Cjx  as  long  as  there  are  things  in  the  domain  of  quantification  of 
some  world  that  are  not  in  the  domain  of  quantification  in  another.^  Unfortunately,  this  strategy  is 
not  sufficient  to  entirely  solve  the  problem.  For,  even  with  the  domains  varying,  a  constant  term 
will  (by  definition)  denote  the  same  word  in  all  worlds.  Thus,  any  word  that  is  given  a  name  in 
our  language  will  be  a  word  that  everyone  always  knows.  Somehow  we  need  to  have  terms  that 
may  not  denote  in  all  possible  worlds.  Fortunately,  there  is  a  way  to  deal  directly  with  nondenot¬ 
ing  singular  terms. 

Free  Logic 

Ermanno  Bencivenga  (1986)  defines  a  free  logic  as  “a  formal  system  of  quantification  the¬ 
ory,  with  or  without  identity,  which  allows  for  some  singular  terms  in  some  circumstances  to  be 
thought  of  as  denoting  no  existing  object,  and  in  which  quantifiers  are  invariably  thought  of  as 
having  existential  import.”  ^  This  is  just  what  we  want,  provided  that  we  fill  in  the  details  proper¬ 
ly- 


In  effect,  the  sr  negy  here  is  to  adopt  the  proposal  given  above,  namely  to  vary  the  domain 
of  quantification  from  world  to  world.  All  we  need  do  is  incorporate  the  correct  interpretation  of 
terms  into  this  picture.  A  singular  term  t  denotes  at  a  world  just  in  case  it  names  a  member  of  the 
domain  of  quantification  at  that  world,  i.e.,  3x  (x  =  t)  is  true  at  that  world  (x  is  a  variable  distinct 
from  t).  For  ease  of  expression,  we  define  a  predicate  expressed  by  ‘E’  such  that 


3.  Note  that  this  also  provides  a  semantic  guarantee  that  the  Barcan  Formula  is  not  valid.  We  will  return  to  this  below  where  it  will 
be  seen  to  be  a  desirable  result 

4.  op.  cU..  p.  375, 
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E(t)  =jif  3x  (x  =  t)  — ^where  x  is  a  variable  distinct  from  t.  In  place  of  the  classical  quantifier  rules, 
we  have  the  following. 

Universal  Instantiation 

From  Vx  (p  A  Et  for  any  term  t,  where  (p  is  a  sentence  in  the  language,  and 

infer  tp[t/x]  <p[t/x]  is  the  same  sentence  as  tp  except  that  all  free 

occurrences  of  x  in  <p  are  replaced  by  t 

Universal  Generalization 

From  \j/  — »  (Et  — >  (p)  where  t  is  a  term  that  does  not  occur  freely  in  xp  or  in 
infer  y  — >  Vx  (p[x/t]  any  assumption  on  which  y  — >  (Et  — >  (p)  depends 


Intuitively  understood,  these  may  help  in  comprehending  what  it  means  for  quantification 
to  always  have  existential  import.  We  need  to  spell  out  formal  models  and  interpretations  to  see 
exactly  how  these  rules  work,  and  that  is  what  we  do  now. 

Models 

A  model  is  a  tuple  <W,  Rj, ...,  Rj^,  D,  d,  a>  where  W  is  a  set  of  nonempty  possible  worlds, 
Rj, ...,  Rj,  are  binary  accessibility  relations  between  members  of  W,  and  D  is  a  domain  of  objects 
for  all  possible  worlds,  d  is  a  function  from  members  of  W  to  subsets  of  D,  thus  d(w)  is  the  do¬ 
main  at  world  w.  a  is  an  assignment  function,  which  assigns  values  to  expressions  in  the  language 
in  the  manner  given  below.  Since  we  want  to  allow  a  to  be  undefined  sometimes,  we  adopt  the 
standard  trick  of  adding  a  value  *  to  represent  being  undefined.  This  allows  us  to  have  an  assign¬ 
ment  function  that  is  total  and  yet  still  gives  us  a  means  to  say  that  terms  sometimes  fail  to  denote 
and  sentences  sometimes  do  not  have  a  definite  truth  value.  Note  that  since  an  assignment  func¬ 
tion  does  the  duty  of  both  an  interpretation  and  a  valuation,  *  can  do  the  duty  of  both  an  undefined 
truth  value  and  an  undefined  member  of  a  domain. 

a(t)  G  D  for  all  terms  t 

a(<ti, ...,  tn>)  =  <a(ti, ...,  a(tn)>  where  tj, ...,  t^  are  terms  (names  of  words) 

(We  suppress  tuple  notation  from  here  on  when  it  is  clear  what  is  meant.) 

a(f(ti . tn))  =  a(0  (a(ti. ...,  !„))  =  where  tj, ...,  tp  are  terms  (names  of  words) 

=  a(f)  (a(t| . a(t|,))  and  f  is  the  name  of  a  function  on  words 

a(P)  is  a  set  of  n-tuplcs  of  members  of  D  where  P  is  any  n-ary  predicate  letter  (n  >  1) 

Enci^-ption  and  decryption  pose  a  problem  for  an  assignment  function;  neither  the  encryp¬ 
tion  nor  the  decryption  key  is  necessarily  unique.  For  example,  in  the  RSA  algorithm  any  power 
of  a  key  is  also  a  key,  i.c.,  something  encrypted  using  a  power  of  the  encryption  key  can  be  de¬ 
crypted  using  the  usual  decryption  key,  and  vice  versa.  This  may  also  be  true  of  symmetric  en- 
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cryption  schemes.  Informally  we  shall  follow  the  conventional  pretense  that  encryption  and 
decryption  keys  are  unique  whenever  such  pretense  causes  no  harm.^  Thus,  if  k  is  the  name  of 
some  key,  k'^  is  to  be  intuitively  interpreted  as  the  name  of  the  inverse  key  corresponding  to  k.  In 
ordei  to  ensure  that  all  works  out  properly  on  the  formal  level  we  define  the  following. 


For  a  given  key  (term)  k, 

[k]  =  {t :  a(e(t,  y))  =  a(e(k,  y))  for  each  y  e  a'^(D)} 

[k'^J  =  {t :  a(d(t,  e(k,  y)))  =  a(y)  =  a(e(k,  d(t,  y)))  for  each  y  e  a‘’(D)} 


a^  is  the  restriction  of  a  to  d(w)  on  the  above  type  arguments  and  also  satisfying  the  following. 


a^(t)  is 


a(t)  if  a(t)  €  d(w) 

or  if  a(t)  =  a(f(ti, ...,  tn))  for  some 
ti, ...,  tn  s.t.  a(ti), ....  a(tn)  6d(w) 
or  if  a^(e(si,  S2))  =  a(e(k,  t))  for  some 
S},  S2  s.t.  a(si),  a(s2)  ed(w)  and  some 
k  s.t.  k'  e  [k'*]  and  aCkO  € d(w) 
or  if  a^(d(si,  S2))  =  a(d(k',  t))  for  some 
Si,  S2  s.t.  a(si),  a(s2)  Gd(w)  and  some 
k'  s.t.  k'e[k'‘],a(k)ed(w) 
otherwise 


This  is  not  as  complicated  as  it  looks.  There  are  four  cases  under  which  a  term  t  denotes  at 
a  world  w.  The  first  case  is  when  it  is  simply  given.  Perhaps  t  is  a  public  key  that  everyone 
knows,  thus  it  is  present  at  every  world.  The  second  case  is  when  t  names  the  same  thing  as  a 
function  of  terms,  and  each  of  the  arguments  of  the  function  denotes  at  w.  The  third  case  is  when 
e(k,  t)  is  assigned  the  same  value  as  a  word  that  is  an  encrypted  word  at  w,  and  the  decryption  key 
also  denotes  at  w.  It  is  important  to  note  that  it  is  not  enough  that  a(e(k,  t))  =  a(s)  for  some  s  that 
denotes  at  w.  s  must  be  an  encrypted  word  in  w,  not  just  in  D.  Intuitively,  in  order  to  apply  a  de¬ 
cryption  key  to  a  word  in  world  w,  that  word  must  be  an  encrypted  word  in  w.  The  fourth  case  is 
similar  to  the  third  except  that  it  deals  with  decrypted  words  rather  than  encrypted  words. 


aw(s  =  t)  is 


aw(Cit)  is 


• 

T  if  aw(s)  =  a^(t)  and  a(s)  €  d(w) 

'  F  if  a(s)  ^  a(t)  and  a(s),  a(t)  e  d(w) 

.*  otherwise 

T  if  a(t)  e  d(w')  for  all  w'  such  that  wRjw' 

]  F  if  a(t)  e  d(w)  and  a(t)  €  d(w')  for  some  w'  s.t.  wRjw' 

.*  otherwise 


5.  For  convenience,  we  also  restrict  ourselves  to  cryptosystems  with  two  sided  inverses.  This  is  not  a  serious  restric¬ 
tion  as  it  covers  those  cryptosystems  that  are  currently  in  widest  use. 
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For  n-ary  predicate  letters  P,  other  than  equality  and  Cj  (for  i  =  1, k),  we  have 


aw(P(ti, tj,))  is 


T 
-  F 
.* 


if  a(ti), a(tn)  €  d(w)  and  a(ti . tp)  e  a(P) 

if  a(ti), ....  a(tn)  €  d(w)  and  a(ti, tn)  €  a(P) 
otherwise 


For  an  arbitrary  sentence  tp. 


aw(Si(p)  is 


T  if  a^'((p)  =  T  for  all  w'  such  that  wRjw' 

]  F  if  a^'((p)  is  defined  for  all  w'  such  that  wRjw' 
and  avv'Ctp)  =  F  for  some  w'  such  that  wRjw' 
.*  otherwise 


aw(Vx  (p)  is 


T  if  avv((p[t/x])  =  T  for  ail  t  such  that  a(t)  e  d(w) 

“  F  if  avv((p[t/x])  =  F  for  some  t  such  that  a(t)  e  d(w) 

otherwise 


where  tp[t/x]  is  the  same  sentence  as  (p  except  that  all  free  occurrences  of  x  in  (p  are  replaced  by  t 


aw(<p  A  y)  is 


a^Ctp  V  y)  is 


a^Ctp  ^  y)  is 


aw(-'<p)  is 


T  if  a^Ctp)  =  T  and  a^(y)  =  T 

'  F  if  aw((p)  =  F  or  a^Cy)  =  F 

and  both  a^((p)  and  are  defined 
otherwise 

T  if  a^Ctp)  =  T  or  a^Cy)  =  T 
i  and  both  a^^Ctp)  and  a^(y)  are  defined 
F  if  aw(9)  =  F  and  a^Cy)  =  F 
otherwise 

T  if  aw((p)  =  F  or  a^Cy)  =  T 

and  both  avv(9)  and  a^vCNO  are  defined 
F  if  a^Ccp)  =  T  and  a^(y)  =  F 

.  *  otherwise 

T  if  aw((p)  =  F 

'  F  if  aw(<p)  =  T 

>•  if  avi,((p)  =  * 


KNOWLEDGE  REPRESENTATION 

Now  that  the  basic  linguistic  and  semantic  structures  are  in  place,  we  can  say  something 
about  the  mechanisms  for  knowledge  representation.  One  important  question  is  whether  or  not 
we  need  the  knowledge  predicates  (C  predicates)  as  primitives  at  all.  Is  there  not  some  way  that 
we  can  define  them  in  terms  of  the  knowledge  operators?  Obvious  candidates  for  defining  Cjt  are 
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Sj(Et)  and  3x  Si(x  =  t).  Indeed  these  are  the  standard  ways  of  representing  this  type  of  knowl¬ 
edge.  Debate  on  which  of  these  is  more  appropriate  is  forestalled  by  their  equivalence  in  the 
above  semantics  and  is  a  fortiori  precluded  once  we  realize  that  neither  can  ever  be  false.  In  any 
given  world  they  are  both  either  true  or  undefined.  Nonetheless,  perhaps  this  indicates  not  the  in¬ 
dispensability  of  the  knowledge  predicates,  but  the  inadequacy  of  the  assignment  function. 

Perhaps  the  assignment  function  makes  unnecessary  distinctions  in  the  case  of  the  knowl¬ 
edge  predicates.  The  way  the  assignment  function  works  for  the  C  predicates  does  seem  a  little 
odd.  Recalling  the  possible  worlds  explanation  of  them  given  above  may  clarify  the  reasons  for 
the  assignment  of  T,  but  what  about  the  distinction  between  being  assigned  F  and  being  unde¬ 
fined?  Obviously  an  atomic  sentence  that  contains  a  term  that  fails  to  denote  at  a  world  should 
fail  to  have  a  truth  value  at  that  world.  (Recall  that  ours  is  a  logic  of  epistemic,  not  alethic^,  mo¬ 
dalities.  If  ‘Pegasus’  does  not  denote  at  a  world,  it  doesn’t  mean  simply  that  he  does  not  exist 
there;  it  means  that  he  is  not  known  there.)  This  explains  the  conditions  under  which  a^(Cjt)  is 
undefined.  As  for  falsity,  from  i’s  perspective  Qt  should  never  be  false.  How  could  i  think  that  he 
does  not  know  a  word  (in  the  C  sense)?  To  think  about  the  word  at  all  he  must  know  what  it  is. 
But,  others  may  be  in  a  position  to  realize  that  i  does  not  know  a  word,  and  there  may  be  things 
that  follow  logically  from  the  falsity  of  Qt  even  if  no  subject  knows  it.  So,  we  must  be  able  to  as¬ 
sign  the  value  F  to  Cjt.  We  have  already  seen  that  t  must  denote  for  Qt  to  be  assigned  a  truth  val¬ 
ue  at  all,  and  if  t  were  to  denote  in  all  worlds  accessible  from  w  for  i,  then  Qt  would  clearly  be 
true.  Thus,  the  only  way  for  Qt  to  be  assigned  the  value  F  at  a  world  w  is  if  t  denotes  at  w  but 
fails  to  denote  at  some  world  accessible  from  w  for  i. 

This  justification  still  does  not  ensure  the  necessity  of  primitive  knowledge  predicates. 
Perhaps  it  is  the  semantics  of  the  knowledge  operators  that  must  be  changed,  and  once  this  is  done 
correctly,  the  predicates  will  be  reducible  to  the  operators.  We  could  redefine  the  assignment  of 
truth  values  to  the  knowledge  operators  so  that,  for  example,  Sscoii9  is  false  at  w  if  and  only  if  it 
is  defined  at  w  and  false  or  undefined  at  some  world  accessible  from  w  for  Scott.  This  would 
make  Qt  and  Sj(Et)  semantically  equivalent.  Unfortunately  such  a  move  would  obliterate  the  dis¬ 
tinction  between  Scott’s  knowing  that  (p  is  true  and  his  recognizing  it  as  meaningful.  This  distinc¬ 
tion  is  important  to  the  evaluation  of  cryptographic  protocols,  the  primary  purpose  for  which  this 
logic  was  devised.  For  example,  let  us  suppose  that  the  security  of  a  protocol  we  are  evaluating 
depends  on  the  secrecy  of  Lxjuie’s  key  k.  The  protocol  should  be  secure  enough  if  we  can  con¬ 
clude  that  penetrator  Scott  does  not  know  that  k  is  Lx>uie’s  key.  But,  it  is  still  more  secure  if  Scott 
does  not  even  know  that  “k  is  Louie’s  key.”  is  meaningful.  At  the  very  least  there  is  a  difference 
between  these  two  situations  of  how  much  additional  information  the  penetrator  must  obtain  to 
render  the  protocol  insecure.  Thus,  from  a  semantic  point  of  view,  the  knowledge  predicates  are 
both  useful  and  noneliminable. 


THE  LOGIC 

It  should  be  clear  from  the  language  set  out  above  that  the  logic  we  are  about  to  present 
will  be  a  quantified  modal  logic.  These  are  notoriously  difficult  semantically.  In  addition  to  the 
problems  associated  with  modality  per  se  there  are  a  number  of  problems  associated  with  the  in- 


6.  Aleihic  modalities  are  the  modalities  of  necessity  and  possibility. 


7 


P.  F.  SYVERSON 


teraction  of  modality  and  quantificadon7  We  intend  to  skirt  as  many  of  the  issues  as  we  can  that 
do  not  bear  direcily  on  the  subject  of  this  report.  For  instance,  we  have  chosen  the  logic  T  as  the 
basic  epistemic  logic  because  we  have  no  need  to  represent  iterated  propositional  knowledge. 
However,  this  should  not  be  viewed  as  a  commitment  to  a  position  on  introspection.  In  applica¬ 
tions  where  such  needs  might  arise  I  would  be  perfectly  willing  to  use  other  logics,  such  as  S4  or 
S5,  if  this  did  not  create  any  problems.  (We  will  see  below  that  we  must  reject  both  the  Barcan 
Formula  and  its  converse,  thus  S5  is  already  ruled  out.) 

‘Standard’  Axioms  and  Rules 

Axioms  1  through  5  are  the  universal  closures  of  the  following,  where  there  are  no  freely 
occurring  constant  terms  in  a,  P,  or  y. 

1.  a->((3->a) 

2.  (a  .p  ->  Y)  (a  ^  P  ^  ^  Y) 

3.  ( — Ip  — >  — lOc)  — >  ( — iP  — >  ot  — >  p) 

4.  Sj  ot  A  Sj  (ot  — >  p)  — >  S|  P) 

5.  Sj  a  ->  a 

The  reason  for  the  restrictions  on  axioms  1  through  5  is  to  make  sure  that  they  are  true  in 
all  models.  Without  the  restrictions,  an  axiom  would  not  have  a  defined  truth  value  at  a  world  if  it 
contained  a  term  that  failed  to  denote  there.  While  the  idea  of  axioms  that  are  not  necessarily  true 
at  all  worlds  is  somewhat  bizarre,  there  is  no  harm  in  it;  however,  for  convenience  and  to  avoid 
unnecessary  confusion,  we  adopt  the  above  restrictions. 

6.  Vx  (x  =  x) 

7.  Vx  Vy  (x  =  y  .(p  ->  tp') 

(where  tp'  is  the  result  of  placing  no,  some,  or  all  occurrences  of  ‘x’  in  <p  with  ‘y’,  and  where 
neither  tp  nor  (p'  contain  any  free  occurrences  of  any  constant  terms) 

There  arc  also  two  rules  of  inference; 

R1 .  Fromtp  and  <p  — >  V  infer  \p  (Modus  Ponens) 

R2.  From  h  <p  infer  I-  S,<p  i  =  1, ...,  n  (Epistemic  Generalization) 

9  and  v  may  be  either  open  or  closed  in  modus  ponens  but  not  in  epistemic  generalization. 
(The  reason  for  the  restriction  to  closed  sentences  in  this  case  is  explained  below.)  Even  these  ba¬ 
sic  axioms  and  rules  are  problematic.  The  axioms  together  with  R2  yield  the  omniscience  prob¬ 
lem;  each  subject  knows  all  logical  truths.  Various  attempts  have  been  made  to  solve  this  and 
other  related  problems  by  restricting  the  logic  in  one  way  or  another  (Eberle  1974;  Fagin  and 


7.  For  an  analysis  of  some  of  the  major  issues  c.f.  (Garson  1984). 
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Halpem  1985;  Levesque  1983).  Other  research  has  been  done  on  non-monotonic  doxastic  logic 
for  c>^mputer  security  in  which  posited  beliefs  may  be  taken  back  (Moser  1989).  Still  others  have 
analyzed  complexity  issues  in  reasoning  about  knowledge  and  belief  (Goldwasser  et  al.  1985; 
Halpem  and  Vardi  1986).  The  difficulties  these  papers  deal  with  are  serious  problems  and  not  just 
for  the  correct  theoretical  representation  of  reasoning.  From  a  practical  standpoint,  in  computer 
security  we  don’t  want  to  waste  time  worrying  about  inferences  that  no  penetrator  will  ever  actu¬ 
ally  draw.  We  also  don’t  want  to  be  overly  confident  about  what  we  ourselves  can  discern  about  a 
penetrator. 

Despite  these  problems,  logics  that  model  reasoning  without  restrictions  of  complexity 
have  been  quite  useful  in  uncovering  important  properties  of  distributed  systems  and  of  crypto¬ 
graphic  protocols.  And,  there  is  invariably  a  trade-off  between  the  accuiacy  gained  by  less  ideal¬ 
ized  analyses  and  the  ease  and  speed  with  which  such  analyses  are  done.  This  trade-oflf  is  all  the 
more  pronounced  if  the  idealized  system  has  associated  semantic  techniques  available.  So,  while 
we  acknowledge  this  problem,  we  do  not  attempt  to  deal  with  it  here. 

Because  of  the  omniscience  problem,  it  is  perhaps  wrong  or  at  least  misleadip«^  to  interpret 
the  Sj’s  and  Q’s  epistemically.  We  have  done  so  partly  to  maintain  terminological  consistency 
with  previous  work  and  partly  because  that  work  is  not  so  far  off.  Jon  Barwise  has  said  that  “in¬ 
formation  travels  at  the  speed  of  logic,  genuine  knowledge  travels  only  at  the  speed  of  cognition 
and  inference,”  and  that  “much  of  the  work  in  the  logic  of  knowledge  is  best  understood  in  terms 
of  the  logic  of  information.”  (Barwise  1989,  p.  204)  I  am  entirely  in  agreement  with  these  senti¬ 
ments.  Consequently,  Sjtp  is  probably  more  accurately  understood  as  saying  that  i  has  information 
that  cp.  Similarly,  Cjx  is  probably  best  understood  as  saying  that  i  has  sufficient  information  to 
recognize  x  or  to  produce  it.  Despite  these  points,  we  will  retain  the  terminology  we  started  with 
for  the  remainder  of  the  report. 

Rules  for  Quantification  and  for  F'''Tting  Types  of  Knowledge 

The  basic  quantifier  rules  are  what  distinguish  this  as  a  free  logic — as  opposed  to  a  classi¬ 
cal  one.  The  rules  were  introduced  above,  and  we  restate  them  here  as  official  rules  of  the  logic. 
3x  is  defined  as  — iVx— i  as  usual. 

R3.  (Universal  Instantiation) 

From  Vx  (p  A  Et  for  any  term  t,  where  (p  is  a  sentence  in  the  language,  and 

infer  (p[t/x]  tp[t/x]  is  the  same  sentence  as  (p  except  that  all  free 

occurrences  of  x  in  (p  are  replaced  by  t 

R4.  (Universal  Generalization) 

From  Y  — >  (Et  — >  q))  where  t  is  a  term  that  does  not  occur  freely  in  y  or  in 

infer  \ji  — >  Vx  (p[x/t]  any  assumption  on  which  y  — >  (Et  — >  cp)  depends 


Next  we  give  the  primary  rule  for  relating  the  two  types  of  knowledge. 

R5.  (Knowledge  Relation) 

From  Sjcp  infer  Cjt  where  (p  is  an  arbitrary  sentence  and  t  is  any  temi  occurring 

freely  in  cp 
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As  an  example,  suppose  Ed  knows  that  s  =  f(tj, ....  t^).  Then,  Ed  can  recognize  all  the  ar¬ 
guments  and  the  value  of  the  function.  It  may  seem  to  follow  from  this  rule  that  all  the  subjects 
know  all  the  words.  By  epistemic  generalization,  all  subjects  know  all  logical  truths.  And  since 
t  =  t  is  a  logical  truth,  it  would  seem  to  follow  from  epistemic  generalization  and  knowledge  rela¬ 
tion  that  all  subjects  know  t.  This  appears  to  be  disastrous  since  it  means  in  particular  that  all  sub¬ 
jects  know  all  passwords  and  keys.  One  might  argue  that  this  is  not  a  problem  since  no  dangerous 
knowledge  about  keys  and  passwords  derives  from  this.  But  we  need  not  consider  that  because 
the  derivation  is  flawed  anyway.  The  rule  of  epistemic  generalization  says  that  if  p  is  a  theorem, 
then  Sjp  is  a  theorem.  But  t  =  t  is  not  a  theorem.  Vx  (x  =  x)  is  a  theorem  (in  fact  an  axiom),  but 
t  =  t  only  follows  from  this  provided  that  we  also  have  Et.  We  must  be  careful  to  distinguish  be¬ 
tween  Vx  Si((p(x))  and  Si(Vx  (p(x)). 

Given  the  above  discussion,  it  should  be  clear  that  we  must  reject  the  converse  of  the  Bar- 
can  Formula  (CBF),  i.e.,  the  conditional  Sj(Vx  (p(x))  Vx  SjCtpfx)).  We  must  reject  the  Barcan 
Formula  (BF)  as  well.  Here  is  an  example  that  illustrates  why  we  must  do  so.  Suppose  that  Ed 
knows  all  the  words.  Furthermore,  suppose  that  for  each  word  that  he  knows,  he  knows  that  he 
knows  it.  Then  Vx  S£d(C£(jx)  is  true.  It  does  not  intuitively  follow  from  this,  however,  that  he 
knows  that  he  knows  all  the  words.  For  example,  suppose  that  all  words  are  passwords  and  that 
Ed  has  found  all  of  them  by  searching  in  some  way.  This  does  not  mean  that  he  necessarily  knows 
that  he  has  now  found  them  all  and  can  stop  searching.  In  other  words  S£(j(Vx  C£jjx)  does  not  in¬ 
tuitively  follow  from  Vx  S£cj(C£fjx).  Thus  both  BF  and  CBF  must  be  rejected  in  our  system. 
Since  unrestricted  epistemic  generalization  leads  to  CBF  we  reject  it  in  favor  of  the  restricted  ver¬ 
sion.  And,  the  system  also  supports  the  reasoning  in  the  above  example;  Vx  S£d(C£{jx)  is  true  at 
w  if  Ed  knows  all  the  words  at  w,  but  for  S££j(Vx  C£dx)  to  be  true  at  w,  Ed  would  have  to  know  all 
the  words  at  all  worlds  accessible  from  w  for  him.  Once  we  have  shown  soundness,  the  failure  of 
BF  follows. 

Cryptographic  Axioms 

Before  stating  the  cryptographic  axioms,  it  will  be  useful  to  have  a  definition  for  the  no¬ 
tion  of  an  inverse  key.  This  definition  is  completely  eliminable  and  is  made  only  for  ease  of  nota¬ 
tion  and  comprehension. 

Definition  of  a  (Two  Sided)  Key  Inverse 

Vx,  y  [  I(x,  y)  *-*  Vz  (d(y,  e(x,  z))  =  z  =  e(x,  d(y,  z)))] 

We  are  now  in  a  position  to  state  the  two  cryptographic  axioms. 

Secrecy  Axiom 

8.1.  Vx,  y,  z,  u  (  Kx.  u)  a  CjU  a  y  =  e(x,  z)  a  SjOxj,  X2  (y  =  e(xi,  X2)))  C^z] 

Authenticity  Axiom 

8.2.  Vx,  y,  z,  u  (  Kx,  u)  a  Cju  a  y  =  d(x,  z)  a  Si(3xi,  X2  (y  =  d(xi,  X2)))  Cjz] 

Obviously  these  axioms  are  intended  to  apply  to  an  asymmetric  (public  key)  cryptosys¬ 
tem.  They  apply  equally  well  to  a  symmetric  cryptosystem.  In  this  case  we  simply  have  the  add- 
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ed  information  that  x  =  u,  and  we  can  drop  the  leftmost  conjunct  in  the  antecedent  since  it  is 
always  true. 

The  last  conjunct  in  the  antecedent  of  each  axiom  may  seem  unnecessary,  especially  since 
reasoners  in  this  system  are  fairly  idealized.  Can  we  not  just  assume  that,  if  i  knows  x  and  y,  he 
will  try  to  plug  them  into  every  formula  at  his  disposal  and  see  what  results?  Perhaps.  But,  even 
in  this  case  it  is  clearer  to  be  explicit  about  our  idealized  assumptions.  Thus,  if  we  wish  to  assume 
that  i  can  always  figure  out  that  y  is  an  encrypted  word  (when  it  is  indeed  an  encrypted  word), 
then  we  should  do  so  explicitly.  We  should  then  assume  the  last  conjunct  as  a  premise  rather  than 
deleting  it  from  the  axiom. 


METALOGIC 

With  our  logic  fully  set  out  we  can  now  begin  our  metalogical  analysis.  Actually  we  have 
already  engaged  in  some  analysis  with  our  observations  about  the  Barcan  Formula  and  its  con¬ 
verse.  The  first  result  we  derive  is  the  soundness  of  the  logic.  For  the  remainder  of  the  report  we 
adopt  the  following  standard  notational  conventions.  Let  F  stand  for  a  finite  set  of  sentences  and 
(p,  etc.  stand  for  arbitrary  sentences  as  before.  T  h  9’  means  that  (p  is  derivable  using  the  in¬ 
ference  rules  from  F  and  the  axioms.  As  usual,  we  follow  the  convention  of  writing  ‘htp’  for 
‘F  htp’  when  F  consists  solely  of  theorems.  ‘F  N=(p’  means  that,  in  all  models,  (p  is  true  at  all 
worlds  where  all  the  members  of  F  are  true. 

Soundness 

Theorem:  If  F  I-  9,  then  F  N  9 

To  prove  this  we  need  the  following  lemma. 

Lemma:  All  axioms  are  valid  in  all  models  provided  that  all  freely  occurring  terms  denote. 

We  assume  that  the  lemma  holds  for  axioms  1  through  5  since  the  proof  is  but  a  minor 
variation  on  the  standard  soundness  result  forT.  (c.f.  Hughes  &  Cresswell  1968  or  Chellas  1980) 
Also,  the  result  is  trivial  for  the  identity  axioms,  6  and  7.  So,  all  that  remains  is  to  prove  the  lem¬ 
ma  for  the  cryptographic  axioms,  8.1  and  8.2.  Since  the  cases  are  very  similar,  we  prove  only 
that  the  secrecy  axiom  is  valid  in  all  models.  First,  note  that  the  axiom  cannot  be  undefined  since 
it  contains  no  free  variables.  If  at  some  world  w  we  instantiate  x,  y,  z,  u  to  tj,  t2^  t3^  and  t4  respec¬ 
tively,  the  resulting  sentence  is  Kt],  t4)  a  Cjt4  a  t2  =  eCtj,  t3)  a  SjIBx],  X2  (t2  =  e(xi,  X2)))  ->  Qt3, 
where  a(ti), ...,  a(t4)  e  d(w).  Assume  that  the  antecedent  is  true  at  w.  Then,  t4  e  [tf*],  and,  at  each 
world  w'  accessible  for  i  from  w  there  exist  some  S],  $2  such  that  a,v'(e(si,  S2))  =  a(t2)  = 
a(e(ti,  t3)).  These  conditions  are  sufficient  to  guarantee  that  t3  denotes  at  each  such  w'.  Thus, 
Cit3  is  true  at  w.  So,  the  whole  conditional  is  true  at  w,  and,  by  universal  generalization,  8.1  is 
true. 


We  now  proceed  to  prove  the  theorem  by  showing  that  all  the  ways  that  9  can  follow  from 
F  in  a  proof  are  ways  that  preserve  validity. 
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Case  i:  (p  is  an  axiom  or  member  of  F.  Then  F  t=  (p  trivially. 

Case  ii:  (p  is  obtained  by  modus  ponens  from  vp  and  \p  — >  tp.  We  proceed  by  strong  induction. 
Suppose  that  soundness  holds  for  all  lines  of  a  derivation  up  to  tp.  Then,  by  inductive  hypothe¬ 
sis,  F  t=  ij/  and  F  t=  \p  — >  tp.  So,  clearly  F  ^  <p  by  the  definition  of  the  assignment  function. 

Case  Hi:  cp  is  obtained  by  epistemic  generalization.  Then  cp  is  SjVp  for  some  \p.  Proceeding  again 
by  induction,  we  have  F  t=  \|/-  Since  it  must  be  the  case  that  I-  xp,  by  inductive  hypothesis  1=  \p. 
So  \p  is  true  in  all  worlds,  hence  true  in  all  worlds  accessible  for  i  from  any  given  world,  i.e., 
t=  Sj\p.  Thus,  a  fortiori  F  N  SjXp. 

Caseiv:  q)  is  obtained  by  universal  instantiation.  Then,  tp  is  of  the  form  \p[t/x].  Proceeding  by  in¬ 
duction,  we  assume  F  N=  Vx  \p  a  Et.  So,  F  ^Vx  \p  and  F  1=  Et.  If  x  does  not  occur  freely  in  \p, 
then  Vxxp  is  true  iff  \p  is  true,  and  \p  is\p[t/x]  in  this  case.  So  F  t=  \p[t/x].  If  x  does  occur  freely 
in  \p,  then  F  t=  vp[t/x]  by  the  definition  of  the  assignment  function. 

Case  V.-  cp  is  obtained  by  universal  generalization.  So  tp  is  of  the  form  \p  — >  Vx  0[x/t],  and,  by  in¬ 
ductive  hypothesis,  F  t=  vp  ^  Et  -4  0  where  t  is  an  arbitrary  term  not  occurring  freely  in  \p  or 
any  member  of  F.  We  may  assume  F  vp.  (If  \p  is  false  the  result  is  trivial.  And,  if  \p  is  unde¬ 
fined,  by  inductive  hypothesis  all  of  F  is  undefined  and  again  the  result  is  trivial.)  So,  by  defi¬ 
nition  of  the  assignment  function,  F 1=  xp  ^  Vx  0[x/t]. 

Case  vi:  cp  is  obtained  by  R5,  knowledge  relation.  This  rule  can  be  seen  to  be  valid  simply  by  in¬ 
specting  the  assignment  function. 


QED 


Completeness 

Theorem:  If  F  N  (p,  then  F  h  tp. 

We  give  a  Henkin  style  proof  for  the  completeness  of  the  logic.  That  is,  we  construct  a 
model  where  the  worlds  are  maximal  consistent  sets  of  sentences  and  show  that  every  consistent 
set  is  satisfiable.  (It  is  a  well  known  result  that  this  is  equivalent  to  completeness.  For  those  unfa¬ 
miliar  with  this,  here  is  a  very  brief  explanation.  Restricting  ourselves  to  the  maximal  consistent 
sets  containing  F,  if  F  {tp}  is  valid  in  a  set  of  worlds,  then  F  u  {-i  cp}  is  not  simultaneously  sat¬ 
isfiable  in  any  member  of  that  set.  Assuming  F  itself  is  consistent,  if  F  u  {-i  (p)  is  inconsistent,  it 
can  only  be  because  F  h  tp.  Thus,  if  we  can  prove  that  the  inconsistency  of  F  u  {— i  (p)  follows 
from  its  failure  to  be  simultaneously  satisfiable,  we  will  have  shown  completeness.  We  do  this  by 
proving  the  contrapositivc — i.e.,  that  every  consistent  set  is  satisfiable.) 

We  now  take  an  arbitrary  consistent  set  of  sentences  and  show  that  it  is  satisfiable.  As¬ 
sume  that  we  have  a  set  of  sentences  F  that  is  consistent  with  respect  to  the  logic.  By  Linden- 
baum’s  Lemma,  this  can  be  extended  to  a  maximal  consistent  set  v  in  some  language  L. 
Unfonunately,  the  basic  Lindenbaum  method  does  not  guarantee  quite  enough.  In  order  to  prove 
what  we  want  we  must  construct  our  maximal  consistent  sets  so  that  the  following  condition  is 
satisfied. 


o>completeness:  If  w  h  Et  — >  tp  for  every  term  t  of  L,  then  w  1-  Vx  (p[x/t]. 
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Note  that  this  is  equivalent  to: 

If  w  u  {— >  Vx  (p)  is  consistent,  then  for  some  term  t  of  L,  w  u  {-i  (Et  (p[t/x])}  is  consistent. 

We  say  that  an  (o-complete,  maximal  consistent  set  of  sentences  of  L  is  saturated  (for  L). 
To  produce  a  saturated  set,  we  proceed  by  Lindenbauming  and  show  that  our  construction  satisfies 
the  equivalent  formulation  of  co-completeness.  Begin  with  a  consistent  set  F,  with  all  sentences 
written  in  L.  Order  all  sentences  of  L,  {Aj,  A2, Then,  define  a  series  of  sets  Mq  =  F,  Mj, 
M2, ...  by  letting  Mj+i  =  Mj  u  {Aj+i}  if  doing  so  leaves  Mj+i  consistent.  Otherwise  =  Mj. 
The  union  of  the  Mfs  is  maximally  consistent  by  Lindenbaum’s  Lemma.  To  ensure  co-complete¬ 
ness  we  modify  the  construction  slightly.  If  Aj^.|  is  -1  Vx  cp  and  Mj  u  {Aj+i)  is  consistent,  then 
we  let  Mj+i  =  Mj  u  { Aj+j,  —1  (Et  — »  (p[t/x])}  where  t  is  a  term  foreign  to  Mj  u  {Aj+j }.  We  claim 
that  Mji+i  is  consistent  if  Mj  u  (Aj+j)  is  consistent.  If  not,  then  it  must  be  the  case  that 
Mj  u  {Aj+i }  h  Et  ^  tp[t/x].  Since  t  does  not  occur  in  Mj  u  { Aj+j },  we  can  apply  universal  gen¬ 
eralization  to  this  in  order  to  get  that  Mj  u  { Aj+j }  h  Vx  tp.  But  then  Mj  u  { Aj+j }  is  inconsistent. 
Contradiction.  This  construction  preserves  consistency  and  guarantees  both  maximality  and  co- 
completeness. 

We  now  proceed  to  the  construction  of  the  standard  model.  Again,  starting  with  a  consis¬ 
tent  set  F  of  sentences  of  L,  we  extend  this  to  a  saturated  set  v  by  means  of  the  above  procedure. 
Now,  consider  a  language  L*  containing  infinitely  more  terms  than  L.  We  define  the  standard 
model  <W,  R j, ...,  R^,  D,  d,  a>  as  follows.  Let  W  be  the  set  of  all  sets  w  of  sentences  satisfying 
the  following: 

(1)  Each  world  w  is  a  saturated  set  for  a  language  L^,  and  is  a  sublanguage  of  L* 
such  that  there  are  infinitely  many  terms  of  L*  not  occurring  in  L^. 

(2) v€W. 

(3)  For  all  terms  s  and  t  which  are  members  of  both  L^  and  L^^',  s  =  t  e  w  iff  s  =  t  e  w'. 

(4)  If  P(ti,  ...,tf,)  is  an  expression  of  both  L^  and  Lv^,,%  P(t],  ...,tn)  e  w  iff  P(ti,  ...,tn)  e  w'. 

Clauses  (3)  and  (4)  require  agreement  between  worlds  with  regard  to  the  membership  of 
certain  sentences.  Clause  (2)  is  present  simply  to  ensure  that  other  worlds  accommodate  to  v  in 
such  agreement. 

The  assignment  function  for  terms  is  given  by  a(t)  =  |s  s  =  t  e  U’W). 

For  an  arbitrary  n-ary  predicate  letter  P  the  assignment  function  is  given  by 
a(P)={<ti,...,tn>:  P(ti,...,tn)e  UW}. 

Definition  of  the  assignment  function  for  other  arguments  is  as  above. 

The  domain  is  given  by  D  =  {a(t):  t  €  L^.j,  and  thus  d(w)  =  {a(t):  t  eL^). 

For  each  i,  wRjw'  iff  Sjtp  g  w  =>  tp  e  w'. 
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With  the  specification  of  the  standard  model  finished  we  proceed  to  the  main  step  in  our 

completeness  proof,  the  truth  lemma.  Once  the  truth  lemma  is  established  we  will  have  shown 

completeness  since  we  will  have  shown  that  T  (an  arbitrary  consistent  set  of  sentences)  is  satisfied 

by  the  standard  model. 

Truth  Lemma:  If  tp  is  a  sentence  of  then  ay^,((p)  =  T  iff  tp  €  w. 

Case  i:  tp  is  of  the  form  xp  a  0,  \|/  v  6,  \p  — >  6,  or  — ixp.  All  of  these  follow  by  trivial  inductive  ar¬ 
guments. 

Case  ii:  (p  is  of  the  form  s  =  t.  If  s  =  t  e  w,  then  s  e  1 6  L^.  So,  a(s)  €  d(w)  and  a(t)  6  d(w). 

We  need  that  a(s)  =  a(t).  Suppose  u  €  a(s).  Then  u  =  s  e  w'  for  some  w'.  Consider  a  language 
formed  by  adding  u  to  (together  with  all  resulting  expressions).  There  exists  a  saturat¬ 
ed  set  of  sentences  of  w"*"  containing  u  =  t.  So,  a(s)  =  a(t)  and  aw(s  =  t)  =  T.  If 

aw(s  =  t)  =  T,  then  a(s),  a(t)  €  d(w)  and  a(s)  =  a(t).  So  s,  t  6  Since  w  is  maximal  consistent, 
s  =  tewors9ttew.  But,  if  a(s)  =  a(t),  there  is  some  world  in  W  containing  s  =  t.  Thus,  by 
clause  (3)  of  the  definition  of  W,  s  =  t  e  w. 

Case  Hi:  tp  is  of  the  form  Cjt.  If  Cjt  e  w,  then,  by  maximal  consistency,  either  Sj(t  =  t)  e  w  or 
-iSi(t  =  t)  €  w.  We  will  see  in  case  v  below  that  if  -iSi(t  =  t)  €  w,  then  t  ^  t  e  w'  for  some  w' 
such  that  wRjw',  which  is  impossible.  Thus,  Si(t  =  t)  e  w.  Therefore,  t  =  t  6  w'  for  all  w'  such 
that  wRjw'.  So,  a(t)  e  d(w')  for  all  w'  such  that  wRjw',  and  a^(Cjt)  =  T.  If  Cjt  €  w,  then,  by 
knowledge  relation  and  the  maximal  consistency  of  w,  Sj\j/  €  w  for  any  sentence  \p  containing 
any  free  occurrences  of  t.  In  particular,  Si(t  =  t)  €  w.  And,  as  we  have  already  mentioned,  this 
leads  to  a  contradiction. 

Caseiv:  (p  is  of  the  form  P(ti,  ...,  tn).  If  P(ti,  ...,  t^)  ew,  then  a(<ti .  tn>)  €a(P)  and 

a(ti), ...,  a(tn)  €d(w).  But,  a(<ti,  ....  tn>)  €a(P)  and  a(ti), ...,  a(tn)  ed(w)  iff  aw(P(ti, ...,  !„))  = 
T.  If  P(ti,  ....  tj,)  «w,  then  — iP(ti,  ...,  tj,)  €w.  Thus,  by  clause  (4)  of  the  definition  of  W, 
a(<ti, ...,  tn>)  <?a(P).  So,  aw(P(ti, ...,  tn))  T. 

Case  v;  tp  is  of  the  form  SjXp.  If  SjXp  €  w,  then  xp  e  w'  for  all  w'  such  that  wRjw'.  But,  by  induc¬ 
tive  hypothesis,  xp  ew'  for  all  w'  such  that  wRjw'  iff  a^'(xp)  =  T  for  all  such  w'.  Thus, 
avv'(SiXp)  =  T.  If  SjXp  i  w,  then  -iSjXp  €  w.  We  claim  that  if  — iSjxp  e  w,  then  there  is  a  w'  e  W  such 
that  wRjw'  and  — iXp  e  w'.  To  show  this  assume  that  — 'Sjxp  e  w  and  let  A  =  {tp:  Sjtp  g  w)  u  {-iXp). 
It  is  easy  to  see  that  A  is  consistent  and  contains  only  terms  of  It  is  not  clear  that  there  are 
infinitely  many  terms  of  foreign  to  A.  Thus,  it  is  not  clear  that  A  can  be  extended  to  a  satu¬ 
rated  set  of  sentences  for  L^.  Let  A  be  the  set  of  tenns  occurring  in  L*  but  not  in  L^v.  We  can 
use  A  to  extend  A  to  a  saturated  set,  but  that  set  will  not  be  in  W  because  it  will  not  have  infi¬ 
nitely  many  terms  of  L*  foreign  to  it.  We  solve  this  by  partitioning  A  into  two  infinite  sets  Aj 
and  A2.  We  then  use  Aj  to  extend  A  to  a  saturated  set  w',  and  keep  A2  to  ensure  that  there  are 
infinitely  many  terms  of  L*  foreign  to  L^'.  To  establish  the  claim  it  remains  only  to  show  that 
wRjw',  but  this  follows  trivially  from  the  composition  of  A.  With  the  claim  thus  shown,  it  fol¬ 
lows  by  inductive  hypothesis,  that  if  Sjxp  e  w,  then  a^ISiXp)  ^  T. 

Case  vi:  tp  is  of  the  form  Vx  xp.  By  universal  instantiation  and  ca-completeness,  Vx  xp  e  w  is 
equivalent  to  xp[t/x]  ew  for  all  t  in  But,  by  inductive  hypothesis,  this  is  equivalent  to 
aw('p[t/x])  =  T  for  all  t  in  L^.  And,  by  the  definition  of  d,  this  is  equivalent  to  aw(xp[t/x])  =  T 
for  all  t  such  that  a(t)  e  d(w),  which  is  equivalent  to  a,^,(Vx  xp)  =  T. 

QED 
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Corollary:  The  deduction  thecrem  fails  to  hold  for  this  logic. 

This  becomes  obvious  when  we  look  at  our  rule  of  universal  instantiation.  From 
Vx  cp  A  Et  we  can  infer  (p[t/x].  However,  from  Vx  <p  we  cannot  infer  Et  — >  (p[t/x],  for  if  t  fails  to 
denote,  Et  — >  (p[t/x]  will  have  an  undefined  truth  value.  So,  for  example,  Vx  (x  =  x)  is  an  axiom 
and  thus  true  at  all  worlds.  If  the  deduction  theorem  were  to  hold,  then  we  could  conclude  from 
universal  instantiation  and  completeness  that  Et  ^  t  =  t  is  true  at  all  worlds.  But,  this  is  clearly 
undefined  at  any  world  where  t  fails  to  denote.  If  we  assume  that  all  terms  denote  everywhere,  we 
can  prove  a  fairly  standard  first  order  deduction  theorem.  However,  such  a  restriction  would  re¬ 
move  most — if  not  all — of  the  interesting  innovations  of  our  logic.  Basically,  the  absence  of  a  de¬ 
duction  theorem  means  that  the  logic  does  not  have  enough  expressive  power  to  capture  its  own 
consequence  relation.  While  somewhat  surprising  there  is  no  cause  for  concern,  especially  when 
we  realize  that  this  limitation  applies  only  in  those  cases  where  one  literally  does  not  know  what 
one  is  talking  about.  As  mentioned  above,  ours  is  a  logic  of  epistemic,  not  alethic,  modalities. 

CONCLUSIONS 

In  this  report  we  have  set  out  a  logic  and  a  formal  semantics  for  that  logic.  We  have  sub¬ 
jected  the  logic  to  metalogical  analysis.  In  particular,  we  have  proven  its  soundness  and  com¬ 
pleteness.  While  these  are  interesting  results  in  their  own  right,  they  are  especially  important  for 
logics  that  are  to  be  applied  to  safety  critical  or  security  critical  areas  such  as  cryptographic  proto¬ 
cols.  Soundness  and  completeness  do  not  guarantee  that  there  will  be  no  error  in  evaluating  the 
security  of  a  protocol.  But,  they  do  guarantee  that  there  will  be  no  formal  error.  Once  we  have 
formally  specified  a  protocol,  a  logical  derivation  of  any  result  concerning  the  specification  will 
be  correct — i.e.  true  of  that  specification — and  anything  that  can  be  formally  shown  to  be  a  se¬ 
mantic  consequence  of  that  specification  will  be  provable  in  the  logic.  Of  course,  there  is  no  guar¬ 
antee  that  the  specification  is  correct,  but  no  logic  can  provide  such  a  guarantee  since  this  is  not 
part  of  the  formal  analysis.  And,  it  is  only  in  the  formal  analysis  that  logic  can  hope  to  play  a  role. 

Finally,  we  note  that,  although  the  logic  has  been  devised  specifically  as  a  logic  for  crypto¬ 
graphic  protocol  analysis,  its  ability  to  represent  knowledge  in  the  sense  of  familiarity  is  clearly 
applicable  in  other  contexts.  How  this  and  other  unique  features  of  the  logic  might  be  applied, 
and  in  which  contexts,  is  an  interesting  area  for  further  study. 
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